Restricting Service Account Usage

The Resource Manager provides constraints that can be used in organization policies to limit the usage of Cloud Identity and Access Management service accounts.

When you set these constraints, they apply to future creation of and modifications to service accounts. These constraints are not retroactive and will not affect previously created and configured service accounts.

Disable service account creation

You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects.

Disable service account key creation

You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.

Setting the policy

The service account restriction constraint is a type of boolean constraint.

You must have permission to modify organization policies to set this constraint. For example, the resourcemanager.organizationAdmin role has permission to set organization policy constraints. Read the Using Constraints page to learn more about managing policies at the organization level.

gcloud alpha resource-manager org-policies enable-enforce \
    --organization 'ORGANIZATION_ID' \
    iam.disableServiceAccountCreation

gcloud alpha resource-manager org-policies enable-enforce \
    --organization 'ORGANIZATION_ID' \
    iam.disableServiceAccountKeyCreation

disable-enforce

To learn about using constraints in organization policies, see Using Constraints.

Example policy

The following code snippet shows an organization policy including the disable service account creation constraint:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.disableServiceAccountCreation"
  etag: "\a\005L\252\122\321\946\334"
  boolean_policy {
  enforced: true
  }
}

The following code snippet shows an organization policy including the disable service account key creation constraint:

resource: "organizations/842463781240"
policy {
  constraint: "constraints/iam.disableServiceAccountKeyCreation"
  etag: "\a\005L\252\122\321\946\334"
  boolean_policy {
  enforced: true
  }
}

Error Messages

Disable service account creation

If iam.disableServiceAccountCreation is enforced, creating a service account will fail with the error:

FAILED_PRECONDITION: Service account creation is not allowed on this project.

Disable service account key creation

If iam.disableServiceAccountKeyCreation is enforced, creating a service account will fail with the error:

FAILED_PRECONDITION: Key creation is not allowed on this service account.

Troubleshooting Known Issues

Default service accounts

Applying the iam.disableServiceAccountCreation constraint will prevent the creation of service accounts in that project. This limitation also affects GCP services that, when enabled, automatically create default service accounts in the project, such as:

• Compute Engine
• GKE
• App Engine
• Cloud Dataflow

If the iam.disableServiceAccountCreation constraint is applied, attempting to enable these services will fail because their default service accounts cannot be created.

To resolve this issue:

1. Temporarily remove the iam.disableServiceAccountCreation constraint.
2. Enable the desired services.
3. Create any other desired service accounts.
4. Finally, re-apply the constraint.